My colleague Mike Parker has a great new series of posts up on securing Exchange Server 2016 with Azure AD. This option may seem counter-intuitive at a glance, but given that most organisations are on a trajectory from Exchange Server to Exchange Online, this configuration can consolidate access control for e-mail in a single location (for instance, over the duration of a migration or for long-term co-existence). It also means that Azure AD Conditional Access policies can be used for Exchange resources on and off-premises, which improves security while enabling mobility.

This configuration has two parts:

Get most Exchange Server components to use OAuth 2.0. This is known as Hybrid Modern Authentication.

The second step is necessary because these components are not currently supported for Hybrid Modern Authentication. The major pre-requisite for publishing an application with the Azure AD Application Proxy is that it should be authenticated with Kerberos and the Application Proxy Connector machine accounts need to be configured to use Constrained Delegation (KCD) for the OWA and ECP Service Principal Name (SPN). Mike’s article takes you through all of this step-by-step. My post deviates a bit from Mike’s guide to consider the idiosyncrasies of the Exchange Alternative Service Account Credential (ASA), which has underpinned Kerberos in Exchange Server since 2010 SP1. If you are familiar with configuring Kerberos, the ASA will almost certainly hold some surprises. Maybe even a fourth head.

AD FS 2012 R2 ships with the InsideCorporateNetwork Claim. It evaluates to “True” when a request is received directly at AD FS, or “False”, if a request is received at the WAP. This Claim doesn’t exist in AD FS 2.0/2.1, and it’s fair to say this is one of the more poorly understood differences in behaviour across the versions.

I’ve recently been asked to find out if it’s possible to create an InsideCorporateNetwork Claim in AD FS 2.0/2.1. The benefit of creating it for the older versions is that InsideCorporateNetwork would be usable in exactly the same way that we use it in AD FS 2012 R2 and later, which opens up the following options: Continue reading “Creating an InsideCorporateNetwork Claim for AD FS 2.x”

I don’t typically politicise my technical Twitter account, nor this blog, but some technical problems are political. It is impossible to engage with security in any depth without confronting political issues. Earlier today, I dumped some thoughts on a private Twitter account, and a friend asked me to make them public. Here’s are those Tweets:

SMBv1 is a widely-used file service that has been actively deprecated by Microsoft for an eternity, but which is present in lots of devices like NAS, networking kit and other networked devices like Sonos. Microsoft runs a program to help vendors deprecate SMBv1, but these are the kinds of things that hardware vendors routinely fail to do well.

Some instruments simply will not work if they get patched, to address issues like SMBv1 weaknesses. However, these devices need to be isolated through controls like effectively segmenting the network, or not networking them at all.

No security professionals should be surprised that WannaCry is happening.

The NHS (and most of the public sector) needs money to dig itself out of a mountain of technical debt. This is not an IT/security problem. It is an inevitable consequence of the Tory assault on NHS. If people die, we know who holds blame.

One further thought post-tweets. Some people may rightly point out that some of the funding issues and IT problems at the NHS began under Labour, but the world has changed significantly since the Conservatives came to power, and there has been an unequivocal failure to engage with those issues meaningfully where budgets have been slashed. It is not possible to adapt to contemporary threats with the obsolete technologies in use today. This will not be the last significant failure of critical infrastructure unless the coffers are topped up, and even then we can’t expect upgrade projects to happen more quickly at the NHS than they do elsewhere. This basically means that even if budgetary problems are instantaneously solved, it will still take more than a year with the best will in the world to get these risks down to manageable levels.

If you have a Microsoft Account (Live ID) username or alias that matches your Work or School Account (Azure AD) UPN, you will probably see a Home Realm Discovery prompt with annoying regularity. This is natural, and expected behaviour, but Microsoft has been taking steps to improve this experience, as detailed in their Cleaning up the #AzureAD and Microsoft account overlap article. Unsure if this is relevant to you? It is if you see this:

Interestingly, there is also now a link in some of these dialogue boxes which will prompt a user to resolve the issue by changing their conflicting Microsoft account username to some new alias. That prompt links to this support article. The basics of that process are:

Add new alias

Verify alias

Make new alias primary

Remove old alias

However, when I tried to make my new alias primary, the option was missing. I could only remove it. If I tried to remove the primary alias I was told to make the other alias primary first. Stuck! My colleague had five non-primary aliases, and just one of them was also missing this option. We tried a few things like signing on with the alias to see if that made a difference, but the option never appeared. Then, after a helpful suggestion from Oren Novotny I tried removing and adding the alias to see if that changed anything. Then, I couldn’t add it back at all. I would get this, “You can’t add a work or school/university email address as an alias to a personal Microsoft account. Please try another”, error:

This is precisely the restriction that Microsoft has put in place to prevent unnecessary Home Realm Discovery prompts, but we are unexpectedly seeing it when adding an alias. After a bit of testing, it appears that the restriction is scoped at the Azure AD Registered Domain Name. Organisations may register domain names with Azure AD either to prove ownership of a domain name for account creation, or for e-mail addresses/aliases. In my case (and my colleague’s), we added aliases to our Microsoft Accounts from registered domain names before Microsoft put this registered domain name restriction in place and we were trying to make these e-mail aliases our new primary Microsoft Account username after the restriction was introduced. The secondary issue here is that we hadn’t expected this restriction to take effect if the new alias didn’t in fact exist as an Azure AD username.

So… this all kind of makes sense once we put the pieces together, although it would be good if the Microsoft Account Manage How You Sign In to Microsoft page offered an explanation of why the alias cannot be made primary. This probably seems like the obscurest of issues, but I suspect many people will encounter it, since Microsoft are encouraging us to make a non-conflicting alias primary. The ultimate solution to this problem will require creation of a new alias in a namespace that hasn’t been registered with Azure AD.

Over the last couple of years we’ve started doing less AD FS work, with the advent of Password Hash Sync for Azure AD sign-on, and Microsoft’s continued investment in Azure AD Premium. We’ve also seen a few organisations struggle to operate AD FS successfully, even if I personally like the technology. So I’ve changed our approach to unveil all of this with as much realism as possible, and to draw some feature comparisons in both directions. We also spend a lot of time talking about expectations of SSO, and how the ways we think about SSO on the web aren’t quite as automatic as what we get with Windows hashes and tickets.

So… what this means is that we don’t do as much AD FS work anymore, and when Microsoft released a hotfix for AD FS in the August 2014 update rollup, it didn’t catch my eye. This hotfix and the related configuration that needs to be added to the AD FS trust with Azure AD are documented in the newer Configure Persistent Single Sign-On article, and I first picked up on this configuration in the Azure MFA article for AD FS. At any rate, this configuration specifies two new Issuance Transformation Claims Rules for the AD FS Relying Party Trust with Azure AD (AKA “Microsoft Office 365 Identity Platform”):

After recently hitting the default two year expiration point with our SharePoint development environment’s AD CS-issued SSL certificates, I set about updating that environment with a new five year template. I took this opportunity to see if I could make it as good as possible without breaking compatibility with anything. I will discuss some of these compatibility issues along the way. I will also make the certificate exportable, make sure it’s using the SHA256 hash (SHA1 will be deprecated in the near future), change the Certificate Authority (CA) configuration so that HTTP Distribution Points will be contactable from “outside the network”, and set permissions on the template in a way that it will be generally usable.

Steve Peschka tackled some of these basics about 18 months ago, but as he notes, his posts covers the simplest updates you can make. I think a few other options are worth considering. I don’t pretend to know all that there is to know about Active Directory Certificate Services (AD CS), or PKI in general, but I do think we can advance considerably beyond the default with a few changes. This is not a well-documented subject, so I hope to pull a few disparate resources together and propose an improved template. If you think anything here can be improved further, please post in the comments and I’ll try to incorporate that feedback.

Microsoft and other large software vendors often fall foul of criticisms that products overlap significantly, or that discreet functionality in one product has been written afresh when the facility is already mature in another technology. As I’ve grown to know it better, I think Microsoft’s Forefront Identity Manager (FIM) provides some interesting examples of the benefits and drawbacks of product re-use. I put these thoughts out as a set of considerations to counter the view that reuse is always a positive thing.

Note: I wrote this article a long time ago, and have always been on the fence about posting it because it’s an editorial rather than purely technical content. I’m not 100% certain this is the right place for this content, but I am publishing it here now rather than letting it rot. Because this was written a long time ago, some references are dated. Like this doesn’t speak of MIM, AADSync or AAD Connect in any detail, so put that knowledge to one side for now.

Many people think of AD FS as merely a federated authentication service. And with a name like Active Directory Federation Services, it’s easy to see why. However, it also has the capacity to make authorisation decisions within its Claims Engine. This may be most familiar as the Office 365 Client Access Policies, but those policies are basically just a flavour of AD FS Issuance Authorisation Rules. An AD FS Issuance Authorisation rule provides a gate at AD FS, where permissions can be granted or denied to authentic users, per-Relying Party, before giving the user Claims for the requested Relying Party. In most cases we will think about these rules as coarse controls, to block a wide category of requests, such as those originating from outside the network, for members of a group, or for any combination of request-based, device-based and user attribute-based Claims. We can even create authorisation rules based on the user’s Identity Provider, or from additional factors of authentication. We will typically still implement most of our authorisation logic within the Relying Parties we are authenticating to, but in some cases it’s very useful to control access at this intermediary tier – especially if a large class of users, devices or networks should be treated as higher risk.

These concepts are not new, and the TechNet documentation I reference here dates back to the earliest wave of AD FS 2.0 RTW content:

Ultimately, I think these articles do answer the question of how to create an AD FS Issuance Authorisation rule, but I can’t point very clearly to the place on these pages that spells it out, and I do think there is a lot of confusing information about this in other places which may lead people astray. Namely, there is a lot of information that only concerns itself with the default Active Directory Claims Provider Rules and the Claims that come from request headers. Also, some of the most referenced AD FS + SharePoint content seems to have been written without authorisation rules in-mind. I want to try to clear some of that up in this post.

UPDATE 24/2/2015
I’ve added a fairly significant update regarding the new MFA stage in the pipeline half-way down this post.

Does the Web Application Proxy or AD FS have any separate controls for adjusting token lifetimes to a different value via WAP than directly at AD FS? I can see there’s a session cookie for EdgeAccessCookie that WAP issues but this seems to be entirely undocumented at present. I’ve poked around in C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config (also undocumented as far as I can tell) but I’m not finding anything there either. We used to have some of these controls (sort of) with TMG/UAG. Are they totally gone now? With the AD FS Proxy this was less of an issue because it was only publishing AD FS but this is something that I’d hope to be able to control with a Reverse Proxy. Any ideas?

After the user is authenticated, the AD FS server issues a security token, the ‘edge token’, containing the following information and redirects the HTTPS request back to the Web Application Proxy server:

The resource identifier that the user attempted to access.

The user’s identity as a user principal name (UPN).

The expiry of the access grant approval; that is, the user is granted access for a limited period of time, after which they are required to authenticate again.

Signature of the information in the edge token.

Web Application Proxy receives the redirected HTTPS request from the AD FS server with the edge token and validates and uses the token as follows:

Validates that the edge token signature is from the federation service that is configured in the Web Application Proxy configuration.

Validates that the token was issued for the correct application.

Validates that the token has not expired.

Uses the user identity when required; for example to obtain a Kerberos ticket if the backend server is configured to use Integrated Windows authentication.

If the edge token is valid, Web Application Proxy forwards the HTTPS request to the published web application using either HTTP or HTTPS.

This quickly became one of those things where there was insufficient documentation and limited project time, so I had to put this inquiry on hold. Then in July, I posted a question on the Application Proxy blog (a great resource), to see if this is something that they planned to document. The response that I got from Ian Parramore was unexpected and pleasing:

A month or two ago I read an eye opening presentation called Shining the Light on Flashlight and the Security of Thousands of Mobile Apps. It’s worth a quick read, especially pages 42 onwards, where the risks of flashlight apps are unveiled. Although the presentation focuses on security risks among the most popular Android and iOS apps, I noticed that pretty much all of the Windows Phone flashlight apps have similarly questionable requirements.

Why does a flashlight need to know where I am? Or have access to my files? Or send a raft of data all over the place? Needless to say, I got rid of my flashlight app.

Fast forward a week or two, and I needed a flashlight (or a torch, as we say in the UK). I decided to use my screen, which was pretty week, and then it occurred to me that I could enable the flash on my camera while in video mode, which does precisely what a flashlight app would do, without the app. It’s not many more “clicks” than launching and enabling an app (especially if I use the hardware key for the camera), and achieves the same result. I don’t know how well this work on other platforms, but I’m struggling to see why it wouldn’t. Hope this helps someone.